Beyond Internet security to risk management

Detection is much more important than prevention –Bruce Schneier

Reviewing Bruce Schneier’s 2004 book Secrets and Lies,
much of which was written in 2000, reminds us of something really basic.
You can’t just fix security.
Security is a process, most of which is about knowing what’s going on.
Detection is more important than prevention.
To which I add that for detection we need comparable Internet-wide metrics
on security performance so every organization can see
what’s going on and will have incentive to do something about it
because its customers and competitors can see, too.
Sound familiar?
That’s what
SpamRankings.net is about.

2. “Detection is much more important than prevention”

Schneier keeps coming back to this point. He had this epiphany in
1999 that “it is fundamentally impossible to prevent
attacks” and “preventative countermeasures fail all the
time.” Security is “about risk management, that the
process of security was paramount, that detection and response was
the real way to improve security.” (emphasis mine)

I had formerly thought of security as largely being about
prevention. A year ago, if you had asked me about
“InfoSec” I might have prattled on about firewalls,
injection attacks, encryption and good passwords. That’s still
important, but now I know that there’s a lot more to it.

Zack says he thinks Schneier was like Nostradamus for having such
insight before
NSA PRISM and even before Facebook.
Sure, Bruce has always been ahead of his time.
But that basic insight was not unique to him, and long predates 2004 or 2000.
For example,
I wrote in 2004:

Maybe what the Internet needs is more cooperative decentralization,
and new means to achieve it.

I was referring specifically to an event back in 1996 when Bob Metcalfe
ended up eating his hat because when he saw my data on Internet performance
improving he had to admit the Internet wasn’t in danger of imminent
collapse even though it wasn’t centrally run like AOL.

Decentralized cooperation is one of the founding principles of the Internet,
and of the ARPANET before it, all the way back to 1969.

What we’ve been missing in the current Internet is sufficient transparency
in the form of frequent, regular, comparable, Internet-wide metrics.
Joe Zack is discouraged by Bruce Schneier’s insight.
I’m encouraged by the reminder, because we have the means to get that
missing transparency.